/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* Androguard module used in this rule file is under development by people at https://koodous.com/. You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara */ import "androguard" rule sensual_woman: chinese { meta: author = "https://twitter.com/plutec_net" reference = "https://koodous.com/" condition: androguard.package_name(/com.phone.gzlok.live/) or androguard.package_name(/com.yongrun.app.sxmn/) or androguard.package_name(/com.wnm.zycs/) or androguard.package_name(/com.charile.chen/i) or androguard.package_name(/com.sp.meise/i) or androguard.package_name(/com.legame.wfxk.wjyg/) or androguard.package_name(/com.video.uiA/i) } rule chinese2 : sms_sender { meta: author = "https://twitter.com/plutec_net" reference = "https://koodous.com/" condition: androguard.package_name(/com.adr.yykbplayer/) or androguard.package_name(/sdej.hpcite.icep/) or androguard.package_name(/p.da.wdh/) or androguard.package_name(/com.shenqi.video.sjyj.gstx/) or androguard.package_name(/cjbbtwkj.xyduzi.fa/) or androguard.package_name(/kr.mlffstrvwb.mu/) } rule chinese_porn : SMSSend { meta: author = "https://twitter.com/plutec_net" reference = "https://koodous.com/" condition: androguard.package_name("com.tzi.shy") or androguard.package_name("com.shenqi.video.nfkw.neim") } rule chineseporn4 : SMSSend { meta: author = "https://twitter.com/plutec_net" reference = "https://koodous.com/" condition: androguard.activity(/com\.shenqi\.video\.Welcome/) or androguard.package_name("org.mygson.videoa.zw") } rule chineseporn5 : SMSSend { meta: author = "https://twitter.com/plutec_net" reference = "https://koodous.com/" condition: androguard.package_name("com.shenqi.video.ycef.svcr") or androguard.package_name("dxas.ixa.xvcekbxy") or androguard.package_name("com.video.ui") or androguard.package_name("com.qq.navideo") or androguard.package_name("com.android.sxye.wwwl") or androguard.certificate.issuer(/llfovtfttfldddcffffhhh/) }